US Office of Management and Budget Memorandum on Software Supply Chain Security
In a memorandum for the heads of executive departments and agencies, the US Office of Management and Budget (OMB) requires agencies to comply with US National Institute of Standards and Technology (NIST) guidance regarding software supply chain security. NIST developed best practices guidelines for the software supply chain, NIST Secure Software Development Framework (SSDF), SP 800-218, and the NIST Software Supply Chain Security Guidance, to comply with the May 2021 cybersecurity executive order. The memorandum notes that “agencies are required to obtain a self-attestation from the software producer before using the software.”
If you’re a software producer with any sales in federal government space, this is huge. You’ll have 365 days (or 270 days if your software is considered “critical” by the procuring agency) to get your attestations together. While the agency standard attestation forms are not yet released, software producers should be looking at SP 800-218 now and beginning their gap assessments now as most development orgs do not meet the requirements in SP 800-218.
This is a big (huge) deal as the scope includes firmware, operating systems, applications and application services (a.k.a. cloud service) as well as all products containing software. Read the scope carefully as it also limits the requirement to software developed, or major versions changes to existing software after the memorandum date. Agencies are already identifying critical software as part of FISMA data reporting to DHS. Critical software includes software that provides security services such as firmware, operating systems, EDR, etc. If you have federal customers, brush up on the memo and 800-218 to develop a plan for providing attestation to your customers.
I always worry when I see phrases such as “agencies are required to obtain a self-attestation from the software producer before using the software.” Time and time again we have witnessed self-regulation industry fail the consumer and customers. Which is why I find the EU proposal for the Cyber Resilience Act which will require independent certification relating to the security of hardware and software devices an exciting and promising development as vendors will legally be required to ensure their products meet minimum security standards. https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act
One small step in the essential direction of holding suppliers accountable for any malicious code that they ship.